CVE-2024-7804

Name of the Vulnerable Software and Affected Versions pytorch/pytorch versions <=2.3.1

Description A deserialization vulnerability exists in the Pytorch RPC framework, allowing an attacker to execute arbitrary code remotely by sending a malicious serialized PythonUDF object. This flaw leads to remote code execution on the master node due to the lack of security verification during the deserialization process of PythonUDF objects in pytorch/torch/distributed/rpc/internal.py.

Recommendations For versions <=2.3.1, update to a version greater than 2.3.1 to resolve the issue. As a temporary workaround, consider disabling the use of PythonUDF objects in the torch.distributed.rpc framework until a patch is available. Restrict access to the torch.distributed.rpc module to minimize the risk of exploitation. Avoid using the PythonUDF object in the affected API endpoint until the issue is resolved.